iptables generic INPUT rule

Bill Davidsen davidsen at tmr.com
Thu Nov 8 23:38:22 UTC 2007


Joe Tseng wrote:
> I recall seeing an example rule where the person allowed all established 
> connections; it went something like this:
> 
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> Is this a safe generic rule to have?  Or is it better for me to state 
> every case explicitly?

Good, safe, and should be first. Rules are processed in order, so you 
reduce the overhead by putting the most likely case first, in this case 
ESTABLISHED.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
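
An added example, not part of the original post: a small audit that reads `iptables -S INPUT` output and reports whether the RELATED,ESTABLISHED accept rule is the first INPUT rule, as the reply recommends. The function names and the two sample listings are constructed for illustration, and the check goes slightly beyond the post by also matching the `-m conntrack --ctstate` form.

```shell
#!/bin/sh
# Added example: audit `iptables -S INPUT` output (read from stdin) and report
# where the RELATED,ESTABLISHED accept rule sits among the -A INPUT rules.

# Print the 1-based position of the first matching rule, or 0 if none exists.
state_rule_position() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            n++
            # Accept both "-m state --state" and "-m conntrack --ctstate" forms.
            if (!pos && $0 ~ /-j ACCEPT/ && $0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/) pos = n
        }
        END { print pos + 0 }
    '
}

# Return 0 if the state rule is first, 1 if present but later, 2 if absent.
check_state_rule_first() {
    pos=$(state_rule_position)
    case "$pos" in
        1) echo "OK: state rule is rule 1"; return 0 ;;
        0) echo "MISSING: no RELATED,ESTABLISHED accept rule"; return 2 ;;
        *) echo "LATE: state rule is rule $pos"; return 1 ;;
    esac
}

# Constructed sample listings in `iptables -S INPUT` format, not from a real host.
GOOD_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'

LATE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

printf '%s\n' "$GOOD_RULES" | check_state_rule_first
printf '%s\n' "$LATE_RULES" | check_state_rule_first || true
```

On a live host the same check can be fed with `iptables -S INPUT | check_state_rule_first`, which requires root.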



